Fix security vulnerabilities across Azure ML environments #4501
Closed
- GHSA-887c-mr87-cxwp: Upgrade torch from 2.7.1 to 2.8.0 in all affected environments
- GHSA-36rr-ww3j-vrjv: Upgrade keras from 3.11.0 to 3.11.3 in tensorflow environment
- GHSA-4xh5-x5gv-qwph: Upgrade pip to latest secure version across all environments

Environments fixed:
- automl environments (ai-ml-automl-*)
- fine-tuning environments (acft-*)
- general ML environments (sklearn, lightgbm, tensorflow)
- vision processing environments
- pytorch environments

All fixes maintain backward compatibility while resolving critical security issues.
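
A check for the pins named in the description above, written as an added example; it is not code from this pull request or the repository. It flags exact `torch`/`pytorch` and `keras` pins below the fixed versions listed there; the `pytorch` alias and the sample file are assumptions, and pip is left out because the page gives no fixed version for it.

```python
import re

# Fixed versions and advisory IDs as listed in this pull request.
FLOORS = {
    "torch": ("GHSA-887c-mr87-cxwp", (2, 8, 0)),
    "keras": ("GHSA-36rr-ww3j-vrjv", (3, 11, 3)),
}
ALIASES = {"pytorch": "torch"}  # assumption: conda name for the torch package
# Exact pins only: pip "name==X.Y.Z" or conda "name=X.Y.Z"; ranges are skipped.
PIN = re.compile(r"^\s*-?\s*([A-Za-z0-9_.\-]+)\s*(==|=)\s*([0-9]+(?:\.[0-9]+)*)")

# Constructed sample environment file, not taken from the repository.
SAMPLE = [
    "dependencies:",
    "  - python=3.10",
    "  - pytorch=2.7.1",
    "  - pip:",
    "    - keras==3.11.0",
    "    - torch==2.8.0  # already at the fixed version",
    "    - torchvision==0.22.1",
]


def parse_version(text):
    """Turn '2.7.1' into (2, 7, 1), padding short versions with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def find_vulnerable_pins(lines):
    """Return (line_no, package, pinned, advisory) for pins below the fix."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        match = PIN.match(line)
        if not match:
            continue
        name = ALIASES.get(match.group(1).lower(), match.group(1).lower())
        if name not in FLOORS:
            continue
        advisory, floor = FLOORS[name]
        if parse_version(match.group(3)) < floor:
            findings.append((line_no, name, match.group(3), advisory))
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_pins(SAMPLE):
        print("line %d: %s %s is below the fix for %s" % finding)
```
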

Test Results for assets-test12 tests 10 ✅ 4h 53m 34s ⏱️ For more details on these failures, see this check. Results for commit 7fed714. ♻️ This comment has been updated with latest results.

- PyTorch 2.8.0 requires Python 3.10 or higher
- Updated all AutoML environments using Python 3.9 to Python 3.10
- This resolves the conda solver error: 'nothing provides __cuda needed by pytorch-2.8.0'

Environments updated:
- ai-ml-automl
- ai-ml-automl-dnn
- ai-ml-automl-dnn-forecasting-gpu
- ai-ml-automl-dnn-gpu
- ai-ml-automl-dnn-text-gpu
- ai-ml-automl-dnn-vision-gpu
- ai-ml-automl-gpu

Keep only working environments in this branch:
- Removed torch 2.8.0 upgrades from automl environments with azureml-automl-runtime conflicts
- These environments will be fixed separately in ravichak/10OctVulFixes-2 branch

Working environments retained:
- acpt-grpo (fine-tuning)
- tensorflow-2.16-cuda12 (keras fix)
- sklearn-1.5, lightgbm-3.3 (general ML)
- automl-dnn-vision-gpu (vision)
- All other non-conflicting environments

Problematic environments moved to separate branch for specialized fixes:
- ai-ml-automl-* environments (azureml-automl-runtime urllib3 conflicts)
- ai-ml-automl-dnn-text-gpu* (transformers and torch version conflicts)

This pull request has been marked as stale because it has been inactive for 14 days.

This pull request has been automatically closed due to inactivity.